Eight months ago, the company Panera Bread received a warning explaining that its website had a flaw that was potentially exposing millions of its customers’ personal data – even including their credit card information. The company claims to have addressed the issue and allegedly fixed the breach just this week.
Panera Bread representatives also claimed that the leak was estimated to affect about 10,000 customers or even fewer. They also explained that, since the company takes data security very seriously, the issue was resolved as soon as they could manage it.
However, the company did not comment when asked about its lack of action back in August 2017, when the issue was first brought to light. Panera Bread released a statement claiming its website was down because they were fixing it.
Taking their time and a possible lie
The American chain of bakery-cafe casual restaurants stated that, as the investigation continues, they have evidence of payment card information being “accessed or retrieved.” However, some other records were affected, even though they allegedly belong to a small group of customers.
Panera Bread spokespeople claimed they are working hard to conclude the investigation and take further actions on the matter.
Even though the statement appears very concerned and diligent, some customers are worried about the amount of time the company took to act and face the problem. Dylan Houlihan, a security researcher from KrebsonSecurity, explained to Nation’s Restaurant News (NRN) that the owner of the security company, Brian Krebs, had warned Panera Bread.
“The data available in plain text from Panera’s site appeared to include records for any customer who has signed up for an account to order food online via panerabread.com,” Houlihan said.
He also estimated the potential number of customer records exposed. It exceeded the 37 million mark, very far from what Panera Bread declared.
Mr. Houlihan had contacted the director of information security of Panera Bread and explained to him how exposed the customers’ data was, given that their full names, addresses, phone numbers, emails, and the last four digits of their credit card numbers were leaked.
The director, Mike Gustavinson, took this as a “sales tactic” and did not believe him. He ultimately ended the conversations via email.
This is not the first time Mr. Gustavinson has been involved with a company that suffered a serious breach, according to the Federal Trade Commission. He worked at Equifax until 2013 as senior director of security operations. The company later leaked the personal data of over 143 million customers in 2017.
‘Panera Bread did not care’
Mr. Houlihan explained that, since the emails exchanged between him and Panera Bread were handled very casually and the director of security claimed they were working on the issue, he decided to let the company work on it on its own. Still, as time passed and nothing seemed to change, the researcher went public and questioned the company’s credibility, backed by proof of the breach.
The statement the researcher released on his Medium website expressed his frustration and shock at the ‘ridiculous’ attitude Panera Bread had shown for over eight months. Mr. Houlihan, being a customer of Panera Bread himself, had an even greater concern, as the matter was personal as well. However, Mr. Gustavinson chose to respond that he would not be fooled, would not accept demands or pay restitution, and would not even “listen to a sales pitch.”
“Incremental customer numbers indexed by the site suggest that number may be higher than seven million… the number of customer records exposed in this breach appears to exceed 37 million. Before making half-baked statements to the press to downplay the size of a breach, perhaps you should make sure the problem doesn’t extend to all other parts of your business,” Mr. Krebs claimed.
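The “incremental customer numbers” Krebs points to are what turns a single exposed record into millions: when account identifiers are sequential and the endpoint serving them does not check who is asking, a client can simply walk the number line. From the defender’s side, that walk leaves a distinctive footprint in ordinary web access logs, which is what a fix should have been verified against. The following is an added example written for this article; it is not code from Panera Bread, KrebsOnSecurity or the researchers involved. The log format, the endpoint path `/api/customer/<id>`, the thresholds and the sample log lines are all constructed assumptions for illustration.

```python
"""Flag sequential account-ID enumeration in web access logs.

Added example for this article; not code from Panera Bread or KrebsOnSecurity.
The log format, the endpoint path and the thresholds are assumptions made
for illustration. The sample log lines below are constructed.
"""
import re
from collections import defaultdict

# Assumed nginx/Apache-style access-log line:
#   <ip> - - [<timestamp>] "<method> <path> HTTP/1.1" <status>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed endpoint that returns one customer's record by numeric id.
ACCOUNT_RE = re.compile(r'^/api/customer/(?P<id>\d+)')

# Constructed sample: one client walks ids 100001..100008 in order, one
# ordinary user touches a couple of ids, one client hits unrelated ids.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Apr/2018:10:00:0%d +0000] "GET /api/customer/%d HTTP/1.1" 200'
    % (i, 100000 + i) for i in range(1, 9)
] + [
    '198.51.100.20 - - [02/Apr/2018:10:01:00 +0000] "GET /api/customer/4521 HTTP/1.1" 200',
    '198.51.100.20 - - [02/Apr/2018:10:01:30 +0000] "GET /api/customer/4521 HTTP/1.1" 200',
    '192.0.2.9 - - [02/Apr/2018:10:02:00 +0000] "GET /api/customer/10 HTTP/1.1" 200',
    '192.0.2.9 - - [02/Apr/2018:10:02:01 +0000] "GET /api/customer/3000 HTTP/1.1" 200',
    '192.0.2.9 - - [02/Apr/2018:10:02:02 +0000] "GET /api/customer/77000 HTTP/1.1" 200',
    '192.0.2.9 - - [02/Apr/2018:10:02:03 +0000] "GET /api/customer/12 HTTP/1.1" 200',
    '192.0.2.9 - - [02/Apr/2018:10:02:04 +0000] "GET /api/customer/99 HTTP/1.1" 200',
    '192.0.2.9 - - [02/Apr/2018:10:02:05 +0000] "GET /static/logo.png HTTP/1.1" 200',
]


def parse_requests(lines):
    """Yield (ip, account_id, status) for each request to the account endpoint."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or unrelated line
        a = ACCOUNT_RE.match(m.group("path"))
        if a:
            yield m.group("ip"), int(a.group("id")), int(m.group("status"))


def find_enumerators(lines, min_ids=5, min_sequential_ratio=0.6):
    """Return {ip: stats} for clients whose successfully fetched ids look sequential.

    A legitimate user touches one or two ids (their own). An enumerator walks
    many distinct ids, and the differences between the sorted ids are mostly 1.
    Only 2xx responses count, since those are the records that actually left.
    """
    ids_by_ip = defaultdict(set)
    for ip, cid, status in parse_requests(lines):
        if 200 <= status < 300:
            ids_by_ip[ip].add(cid)

    suspects = {}
    for ip, ids in ids_by_ip.items():
        if len(ids) < min_ids:
            continue
        ordered = sorted(ids)
        steps = [b - a for a, b in zip(ordered, ordered[1:])]
        ratio = sum(1 for s in steps if s == 1) / len(steps)
        if ratio >= min_sequential_ratio:
            suspects[ip] = {
                "distinct_ids": len(ids),
                "sequential_ratio": round(ratio, 2),
                "range": (ordered[0], ordered[-1]),
            }
    return suspects


if __name__ == "__main__":
    for ip, stats in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {stats['distinct_ids']} ids, "
              f"{stats['sequential_ratio']:.0%} sequential, range {stats['range']}")
```

The detection is deliberately coarse: it keys on the shape of the id sequence rather than on request volume, so a slow enumeration spread over hours still shows up once the log window is wide enough. The real fix is authorization on the endpoint, so that a customer id yields a record only to the session that owns it; the log check is how one confirms the fix actually holds.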
What should the victims do?
Data security issues are nothing strange nowadays, and even one of the largest companies in the world, Facebook, recently had to disclose a problem of its own on the subject, related to the Trump presidential campaign. Each such incident adds to the growing distrust users feel toward companies, leaving them insecure and in doubt about what to do next.
Usually, technicians and analysts advise the companies that are victims of leaks. Eran Sinai, the CEO of ID Theft Recovery, decided to take a different approach and address the public. He told Digital Guardian some steps to take if you have been a victim of this.
First, it is critical to contact the company that exposed the information and find out how large the damage was. This can be difficult with Panera Bread, as several estimates were made while the company did not agree with any of them.
Then, Mr. Sinai suggests changing the passwords of every account the victim owns. These should not be easy – he recommends avoiding relatives’ names, adding symbols, and doing everything possible to keep them hard to guess.
He added that a different password should always be used for every account.
Finally, Mr. Sinai suggests letting the credit bureaus know what has happened so they can place an alert on the customer’s file. Banks and credit card companies should be made aware of the issue too, since they can help the customer lock their accounts and block further transactions that could immediately cause thousands of dollars in damages.